I'm trying to implement a policy to block USB storage devices using Intune, but I still need mice, keyboards, and docking stations to function. I followed a guide from Microsoft to set this up, but I'm facing an issue. While the policy effectively blocks USB devices, it seems to block everything, including essential peripherals. For instance, when I plug in a Dell MS116 optical mouse, it shows up as an 'other device' in Device Manager without a Class GUID assigned, which is why it isn't working. When I plug the same mouse into a device where the policy isn't applied, it's recognized correctly as a HID-Compliant mouse with the right Class GUID. It feels like the policy is blocking the device before it has a chance to register correctly. Is there a way around this problem?
3 Answers
Instead of trying to block all USB devices, why not just restrict access to removable storage? You can find the setting in the Administrative Templates under Removable Storage Access. Just enable 'Deny all access' for all removable storage classes and you should be good to go!
If your main concern is blocking storage devices while keeping HID devices functional, you might want to rethink the Class GUID exceptions. The policy you’ve set blocks installation before Windows can identify it as a HID device, which is why you see the yellow triangle. Consider using Removable Storage Access settings or Device Control with specific hardware ID permissions instead.
One option is to disable removable storage and remove admin rights from users. This would prevent them from reversing the settings you put in place.
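To tell which of the policies mentioned in the answers above is actually in force on an affected machine, the following read-only check is an added example, not code from any poster. It assumes the settings are written to the standard Group Policy registry locations shown; the function and variable names are illustrative, and only class-based rules are inspected.

```powershell
# Added read-only diagnostic; not from the thread.
# Assumption: the policies land in the standard Group Policy registry locations below.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$removable    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# System-defined setup classes relevant to the peripherals in the question.
$classes = [ordered]@{
    'USB'      = '{36fc9e60-c465-11cf-8056-444553540000}'  # hubs, composite devices
    'HIDClass' = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'  # USB input device
    'Mouse'    = '{4d36e96f-e325-11ce-bfc1-08002be10318}'
    'Keyboard' = '{4d36e96b-e325-11ce-bfc1-08002be10318}'
}

function Get-PolicyList {
    param([string]$Root, [string]$Name)
    # List-type policies store their entries as string values in a subkey.
    $key = Join-Path $Root $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    @($item.GetValueNames() | ForEach-Object { "$($item.GetValue($_))".ToLower() })
}

$flags   = Get-ItemProperty -Path $restrictions -ErrorAction SilentlyContinue
$allowed = Get-PolicyList $restrictions 'AllowDeviceClasses'
$denied  = Get-PolicyList $restrictions 'DenyDeviceClasses'
$denyUnspecified = [bool]$flags.DenyUnspecified

"Block devices not covered by another rule: $denyUnspecified"
foreach ($c in $classes.GetEnumerator()) {
    # Class rules only; device ID and instance ID rules are not evaluated here.
    $state = 'no class rule'
    if ($denyUnspecified)            { $state = 'no allow rule, blocked as unspecified' }
    if ($allowed -contains $c.Value) { $state = 'allowed by class' }
    if ($denied  -contains $c.Value) { $state = 'denied by class' }
    '{0,-9} {1} {2}' -f $c.Key, $c.Value, $state
}

# 'All Removable Storage classes: Deny all access' from the Removable Storage Access template.
$rs = Get-ItemProperty -Path $removable -ErrorAction SilentlyContinue
"Removable storage Deny_All: $([bool]$rs.Deny_All)"

# Present USB/HID devices that did not install cleanly (e.g. listed under 'Other devices').
Get-PnpDevice -PresentOnly |
    Where-Object { $_.Status -ne 'OK' -and $_.InstanceId -match '^(USB|HID)\\' } |
    Select-Object FriendlyName, Class, ClassGuid, InstanceId, Problem
```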
